TL;DR: Biometric spoofing turns fingerprints, faces, and iris scans into presentation-attack targets, and the article explains why liveness detection is now central to stronger identity assurance, according to 1Kosmos. The issue is not that biometrics fail outright, but that assurance collapses when systems cannot prove the sample came from a live person.
NHIMG editorial — based on content published by 1Kosmos: Biometric spoofing and liveness detection in identity assurance
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should organisations defend biometric authentication against spoofing attacks?
A: Defence starts with liveness detection, but it must extend to the entire capture path.
Q: Why do biometrics still need liveness detection in identity assurance?
A: Because a biometric sample proves similarity, not presence.
Q: What do security teams get wrong about passwordless biometric login?
A: They often assume passwordless means spoof-resistant by default.
Practitioner guidance
- Define where biometrics are allowed to satisfy assurance Limit biometric authentication to use cases where the assurance level, capture device, and fraud tolerance are explicitly defined.
- Require liveness testing matched to the modality Use active or passive liveness controls that are appropriate to the biometric in question, and validate them against print, replay, mask, and injection scenarios.
- Protect the full capture and transmission path Harden cameras, sensors, SDKs, and API channels against manipulation, script injection, and tampering.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Side-by-side examples of print, replay, 3D mask, and deepfake facial spoofing techniques
- Practical discussion of active versus passive liveness detection tradeoffs for verification flows
- Implementation detail on anti-spoofing algorithms, true-depth camera checks, and SDK protections
- Compliance references to NIST 800-63-3, iBeta ISO/IEC 30107-3, UK DIATF, GDPR, and KYC/KYE
👉 Read 1Kosmos's guide to biometric spoofing and liveness detection →
Biometric spoofing and liveness checks: are your controls keeping up?
Explore further
Biometric spoofing is an assurance problem, not just a sensor problem. The article makes clear that a biometric factor can be copied, replayed, or synthetically generated if the system only checks resemblance. That means the control failure sits in the assurance model, not the biometric modality itself. Practitioners should treat presentation attacks as a gap in proofing design, not as proof that biometrics should be abandoned.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs , Why NHI Security Matters Now.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do liveness checks affect identity proofing under NIST-style assurance models?
A: Liveness checks strengthen proofing by confirming that the biometric sample came from a live subject during the verification process. In higher-assurance flows, that matters because the identity claim is only as strong as the evidence supporting it. NIST SP 800-63 style design treats that evidence as part of the trust chain, not a cosmetic step.
👉 Read our full editorial: Biometric spoofing exposes the limits of biometric identity assurance